
Win XP completely disabled by Khatra.exe, Xplorer.exe, ghost.exe


4 replies to this topic

#1 rohitmath

  • Members
  • 2 posts

Posted 31 July 2009 - 09:27 AM

Hello all,

Am new to the forum. I have been infected by a crazy virus that has rendered my PC running Win XP in normal mode and safe mode.

Have been reading around quite a bit and tried to follow the preparation steps to get a DDS / HJT logs. But my system is really messed and I have got stuck at steps 5 and 6. I cannot enable the firewall nor does the computer let me run DDS even.

Right now I am getting a million windows running "Xplorer.exe" that seem to open once every second.

IT'S Killing me

Am desperate as the PC runs my main accounting server and also served as a repository for a lot of data related to my work.

I did succeed in backing up all my data on a network share on a clean computer. Luckily the computer I saved the data on did detect using ESET Khatra.exe, autorun.inf and a whole bunch of exe files in the same names as folders in the drive. The files were all deleted. Have backed all the data up on DVDs for future use.

I am not eager to format and reinstall the O/S on the system from scratch as my accounting software is a pain to restore again.

History:

1) The system was infected with reader_s.exe (win32/Virut). ESET got disabled along with Windows Firewall.

2) I found on the internet that I should use a combination of SuperAntispyware / Malwarebytes / Combofix. This resolved the problem and everything seemed fine.

3) A week later I started observing C:\windows\Xplorer.exe, Khatra.exe in Task Manager and random instances of ghost.exe.

Also noticed that every time a CD was inserted I was getting a prompt in the system tray that files were waiting to be written. These included autorun.inf and khatra.exe.

4) On opening the Task Manager there were instances of Xplorer.exe. However the process could not be ended. Loaded the computer in safe mode and the Xplorer.exe process was still running. However, I was not able to end the process in the Task Manager as the feature was blanked out.

5) Tried to delete keys referencing the above mentioned exe files in the registry and restarted. The computer seemed fine for a day.

6) Now I am unable to run regedit and I'm getting multiple instances of Xplorer.exe being loaded in a cmd shell and more keep loading every second (I am not kidding)

7) :flowers: Frustrated that winXP is unusable, I booted from a copy of Kaspersky rescue CD with updated definitions. It found 786 threats and the report said that all infected files were deleted.

8) :thumbsup: Happily I rebooted into XP again and no change. I now notice that innumerable cmd of Xplorer.exe keep loading and the system is running out of resources. :trumpet:

I don't know what to do now. I have internet access and a CD burner on another system that helped me with the first infection.

Now I am lost and hope that someone can help me. I need the system up again urgently. Please HELP!!!!! I have been reading various resources on the internet and it seems that I am running around in circles.

I will be more than willing to provide any more info that is required to an experienced eye.

Thanks,

Joe


Edited by rohitmath, 31 July 2009 - 09:42 AM.



#2 rohitmath

  • Topic Starter

  • Members
  • 2 posts

Posted 31 July 2009 - 09:30 AM

Ok, "a million" windows was overstating it but they just do not stop opening. I am locked out of my registry and RRT and unhook.inf tool that someone had recommended did not work.

#3 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,719 posts

Posted 31 July 2009 - 11:37 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts

Posted 31 July 2009 - 12:42 PM

You will need to enlist an expert for this, they will need to remove your hard drive and try to rescue your data.

The infection cannot be cleaned to any certainty without wasting a lot of time.

After your data is retrieved you can have it reloaded on your computer after it's wiped and Windows and your software have been reinstalled.
Chewy

No. Try not. Do... or do not. There is no try.

#5 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts

Posted 31 July 2009 - 12:43 PM

The expert should be familiar with Virut and what it infects.
Chewy




